Skip to content

Understanding Error Codes

vendeeglobe edited this page Jul 8, 2026 · 1 revision

Understanding Error Codes

When Bad Behavior blocks a request, it generates a specific 8-character hexadecimal "status key" (e.g., 17f4e8c8). This key is logged in your database and displayed to the blocked user on the 403 error page.

This status key corresponds to a specific rule that was triggered. Below is a list of the most common error codes and their meaning to help you troubleshoot why an IP was banned.

Common Error Codes

  • 17f4e8c8: User-Agent was found on blacklist.
    • Explanation: The User-Agent string matched a known spambot, vulnerability scanner, or email harvester.
  • 96c0bd29: URL pattern found on blacklist.
    • Explanation: The requested URL contained known malicious patterns (like SQL injection probes union+select or path traversal ../).
  • 136673cd: IP address found on external blacklist.
    • Explanation: The IP was found on an external DNS Blackhole List (e.g., Spamhaus) or http:BL.
  • 17566707: Required header 'Accept' missing.
    • Explanation: Normal web browsers and well-behaved bots always send an Accept header. Missing this usually indicates a primitive bot script.
  • a1084bad: User-Agent claimed to be MSIE, with invalid Windows version.
    • Explanation: The user agent claimed to be Internet Explorer but contained a Windows version string that MSIE never actually uses (e.g., "Windows ME" or "Windows XP" directly in the UA).
  • 2b90f772: Connection: TE present, not supported by MSIE.
    • Explanation: IE doesn't use the Connection: TE header. If this is present alongside an MSIE user agent, it is a spoofed bot.
  • 939a6fbb: Banned proxy server in use.
    • Explanation: The Via header revealed the use of a known spam proxy (like "pinappleproxy").
  • cd361abb: Referer did not point to a form on this site.
    • Explanation: A POST request was made, but the HTTP Referer indicated the form was submitted from an off-site location (unless Allow Offsite Forms is enabled).
  • dfd9b1ad: Request contained a malicious JavaScript or SQL injection attack.
    • Explanation: The POST data or URI contained active exploit payloads like document.write or SQL injection markers.
  • f9f2b8b9: A User-Agent is required but none was provided.
    • Explanation: A POST request was made with a completely empty User-Agent string, which legitimate browsers never do.
  • 7ad04a8a: Prohibited header 'Range' present.
    • Explanation: A Range header starting at 0- was detected. Real browsers do not request byte ranges starting at 0; this is a hallmark of specific scraping bots.
  • f1182195 / 71436a15 / e4de0453: User-Agent claimed to be a major search engine, claim appears to be false.
    • Explanation: The bot claimed to be Googlebot, Yahoo, or MSN, but the IP address did not match the official CIDR ranges for those search engines.
  • e87553e1: I know you and I don't like you, dirty spammer.
    • Explanation: A hardcoded block for specific, highly persistent spammer IP addresses.

If a legitimate user is blocked and gives you a code, you can look it up here to explain to them what part of their browser, proxy, or firewall is misconfigured.

Clone this wiki locally